
Medical Center Fraud Cases: 2 Indicted

Federal Income Tax and Billing Fraud Alleged

The Department of Justice has announced the indictments of two individuals in separate fraud incidents that affected the University of Pittsburgh Medical Center.

One case involves more than $2.2 million in attempted federal income tax fraud allegedly committed using identity information stolen from a UPMC employee database during a breach last year. The other involves about $200,000 worth of billing fraud allegedly committed by a former UPMC Health Plan claims supervisor.


The cases spotlight the challenges healthcare organizations face in the ongoing fight against fraud and call attention to the need to improve detection of suspicious activities.

"Healthcare records - patient or financial - are rich with the data needed for identity theft, tax fraud and medical identity theft," says security and privacy expert Tom Walsh, CEO of consulting firm tw-Security. He says organizations need to take a number of steps, including auditing and monitoring user online activities, to help crack down on fraud.

Tax Fraud Case

On June 26, the Justice Department announced that Yoandy Perez Llanes, a foreign national residing outside of the U.S., had been indicted for working with co-conspirators to allegedly commit more than $1 million in federal income tax fraud using the personal information of UPMC employees. An arrest warrant was issued for Llanes on June 25, court documents indicate.

The UPMC employee data was allegedly purchased and used by Llanes and the conspirators in the wake of a 2014 hacking attack on a UPMC employee database. That attack resulted in a breach that potentially compromised personal information on virtually all of UPMC's workforce of 62,000 (see Victim Tally in UPMC Breach Doubles).

Prosecutors allege Llanes and unnamed conspirators used stolen identities of UPMC employee breach victims to file fraudulent 2013 federal income tax returns seeking refunds. Llanes and the conspirators allegedly converted the tax refunds to Amazon.com gift cards, which were used to buy merchandise that was then shipped internationally. The alleged crimes occurred between January and April 2014, prosecutors say. In the 21-count indictment, Llanes is charged with conspiracy to defraud the U.S., wire fraud, money laundering and aggravated identity theft.

"While the perpetrators sought approximately $2.2 million in fraudulent refunds, only $1.4 million was actually disbursed as refunds," says a Justice Department statement.

If convicted, Llanes faces a prison term, a fine of up to $5.5 million, or both.

In a statement to Information Security Media Group, UPMC says, "On behalf of our employees whose personal information was compromised by hackers, we applaud the diligent and thorough investigation conducted by the IRS criminal investigation, the U.S. Secret Service and the U.S. Postal Inspection Service leading to the indictment in this case."

Claims Fraud Case

In a separate fraud case, Francine Ann Priestas, a former supervisor in the UPMC Health Plan claims department, was indicted on charges tied to alleged false billing. She is scheduled to be arraigned June 30 in federal court.

UPMC offers a health plan to its workforce as well as to other employers and individuals.

Prosecutors allege that Priestas "caused false information to be entered into the UPMC Health Plan claim system in such a fashion that payment for the claims would be made directly to either the defendant" or another individual.

The alleged entry of fake billing information generated billing statements, which falsely represented that Priestas and others received medical services, prosecutors say.

Priestas allegedly submitted 156 false statements on the UPMC Health Plan claims system and received payments totaling about $185,000. Prosecutors say the 11-count indictment charges Priestas, 47, with mail fraud and healthcare fraud.

In the indictment against Priestas, prosecutors say she and two other unnamed individuals associated with the case all had insurance coverage under the UPMC Health Plan. Court documents say Priestas allegedly used her own identity and information about the other two individuals to make it fraudulently appear on billing statements that they received and paid for healthcare treatments at a counseling center, when in fact they did not.

Prosecutors allege that Priestas, in some cases, assigned claims staff working under her to enter the claims for the fake bills, asking the health plan to reimburse the patients for their payments for services, but in most cases fraudulently used the log-in credentials and password of another employee to enter the claims.

If convicted, Priestas faces a maximum of 210 years in prison, a fine of $2.75 million, or both.

Regarding the Priestas case, a UPMC spokeswoman says the billing scam was identified internally. "While a strong framework of internal controls already existed at the time, which led to the discovery, we continue to focus our efforts to identify payment transactions that potentially are inaccurate or inappropriate. Given the nature of this specific case, further system automation would not have been a deterrent."

Growing Problems

Security experts say health plans and healthcare providers face mounting challenges to prevent fraud involving their data and systems.

"Health plans write checks and make payments as part of doing their business. Therefore, there is always an opportunity for committing fraud," says Walsh, the consultant.

Often, staff that work in billing or claims departments "are some of the lowest paid employees in the organization," Walsh notes. "The work can be difficult and mundane - not a fun job. It can be difficult filling these jobs with good people."

Conducting background checks before hiring and periodically thereafter is important, Walsh says.

When it comes to processes to prevent fraud, "separation of duties is important when handling money or processing checks or credit cards," he says. "Smaller organizations may struggle with obtaining an appropriate separation of duties. Annual financial audits typically try to find single points of failure within a processing system. Processes that incorporate a 'check and balance' approach - where two different individuals would need to work collaboratively to commit fraud - need to be in place."

As for technology that can help prevent or detect fraud, Walsh says, "newer audit tools can 'learn typical behavior' and send out alerts to an internal auditor when users' actions are unusual or abnormal."

Fighting ID Fraud

To ramp up the battle against fraud, including tax fraud involving stolen IDs compromised by data breaches, the federal government needs to bolster its defenses as well, says Mac McMillan, CEO of consulting firm CynergisTek.

"The IRS has the ability to implement two factor authentication for electronic submissions of tax returns," he says. "[IRS] does this for folks that have become the victims of tax fraud to avoid it happening to them again. Why don't we get out ahead of this problem and issue second factors to everyone so that fraudulent electronic filings become a thing of the past?"


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



